CVE-2025-6755: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gameusers Game Users Share Buttons
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
AI Analysis
Technical Summary
CVE-2025-6755 is a path traversal vulnerability classified under CWE-22 found in the Game Users Share Buttons plugin for WordPress, affecting all versions up to and including 1.3.0. The vulnerability arises from insufficient validation of the themeNameId parameter in the ajaxDeleteTheme() AJAX function. An attacker with Subscriber-level privileges can craft a request that includes relative path sequences (e.g., ../../../../wp-config.php) to delete arbitrary files on the server. This arbitrary file deletion can escalate to remote code execution by removing critical files or manipulating the environment, potentially compromising the entire WordPress installation. The vulnerability requires low attack complexity and no user interaction, but does require authenticated access at the Subscriber level, which is a low-privilege role in WordPress. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the ease of exploitation and potential damage. The vulnerability was publicly disclosed on June 28, 2025, and assigned by Wordfence.
Potential Impact
This vulnerability can have severe consequences for organizations running WordPress sites with the affected plugin. Attackers can delete critical files such as configuration files, leading to site downtime, data loss, or complete compromise of the web server. Remote code execution enables attackers to execute arbitrary commands, potentially leading to full system compromise, data breaches, or lateral movement within the network. The impact extends to confidentiality (exposure of sensitive data), integrity (unauthorized file deletion or modification), and availability (site outages). Since the vulnerability requires only Subscriber-level access, attackers can exploit it by registering or compromising low-privilege accounts, increasing the attack surface. This can affect e-commerce sites, blogs, corporate websites, and any WordPress-based infrastructure, causing reputational damage and financial loss.
Mitigation Recommendations
Immediate mitigation involves removing or disabling the Game Users Share Buttons plugin until a vendor patch is available. Administrators should restrict Subscriber-level accounts to trusted users and monitor for suspicious AJAX requests targeting the ajaxDeleteTheme function. Implementing Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP requests can reduce risk. Regularly audit user accounts to prevent unauthorized Subscriber registrations. If possible, apply custom code fixes to sanitize and validate the themeNameId parameter rigorously, ensuring it cannot contain directory traversal sequences and that the resolved path stays inside the plugin's theme directory. Back up critical files frequently to enable recovery from deletion attacks. Monitor logs for unusual file deletion attempts and anomalous behavior. Engage with the plugin vendor or community for updates and patches. Finally, consider isolating WordPress instances and limiting file system permissions to minimize damage scope.
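The parameter validation the recommendations call for, as an added example that is not the plugin's own code: a hardened AJAX delete handler that combines a capability check, a nonce check, an allow-list on the identifier and a canonical-path containment check. The theme directory (GUSB_THEME_DIR), the nonce action and hook name (gusb_delete_theme), and the one-CSS-file-per-theme layout are assumptions made for the example.

```php
<?php
// Added example, not code from the Game Users Share Buttons plugin.
// Assumptions: share-button themes are stored one file per theme under
// GUSB_THEME_DIR, and deleting them is an administrator-only operation.
define( 'GUSB_THEME_DIR', WP_CONTENT_DIR . '/uploads/gusb-themes' ); // assumed location

// Map an untrusted themeNameId to a file path, or return null if it is unsafe.
function gusb_resolve_theme_path( string $theme_name_id ) {
    // 1. Allow-list: a bare identifier only. No '/', '\', '.', NUL or encoded variants survive this.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $theme_name_id ) ) {
        return null;
    }
    $base = realpath( GUSB_THEME_DIR );
    if ( false === $base ) {
        return null; // theme directory missing: nothing to delete
    }
    // 2. Canonicalise (resolves symlinks and '..') and confirm containment.
    $target = realpath( $base . '/' . $theme_name_id . '.css' );
    if ( false === $target
        || 0 !== strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return null; // does not exist, or resolved outside the theme directory
    }
    return $target;
}

function gusb_ajax_delete_theme() {
    check_ajax_referer( 'gusb_delete_theme', 'nonce' );   // reject forged requests
    if ( ! current_user_can( 'manage_options' ) ) {        // Subscribers never reach the delete
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $id = isset( $_POST['themeNameId'] )
        ? sanitize_text_field( wp_unslash( $_POST['themeNameId'] ) )
        : '';
    $path = gusb_resolve_theme_path( $id );
    if ( null === $path ) {
        wp_send_json_error( 'invalid theme id', 400 );    // e.g. ../../../../wp-config.php lands here
    }
    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_gusb_delete_theme', 'gusb_ajax_delete_theme' );
```

The allow-list alone would already reject traversal input; the realpath containment check is kept as a second, independent guard so a later relaxation of the pattern cannot silently reopen the hole.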
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Korea, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-26T22:17:54.592Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685f80106f40f0eb726abc16
Added to database: 6/28/2025, 5:39:28 AM
Last enriched: 2/26/2026, 3:50:01 PM
Last updated: 3/25/2026, 4:36:26 AM